‘Equation Group’ hackers attacked 30+ nations with NSA-style tech

Russian security experts say that an advanced persistent threat team has infected thousands of computers in more than 30 countries using tools and tactics not unlike what’s already been attributed to the National Security Agency.

Kaspersky Labs of Moscow declined to specifically implicate the
United States and its spy office in a report published by the security firm on
Monday this week. The researchers say, however, that they have been
monitoring a group of computer hackers who have waged attacks
since 2001 and whose operations share similarities with those of the
NSA.

The team of malicious actors is dubbed the “Equation Group” in
this week’s Kaspersky report, and the Russian researchers say its
participants have waged cyber-attacks against government
entities, military institutions, telecommunication firms and the
energy sector, among others, pertaining to nations including
Russia, Afghanistan, Pakistan, Syria and dozens more.

According to Kaspersky, the Equation Group has used a
state-of-the-art suite of spy tools and hacks in order to
infiltrate computer networks around the globe and infect
machines with viruses that give the attackers complete access to
them. The viruses also allow them to embed malicious code and
entry points deep into encrypted partitions, where they may be
impossible to identify by other means.

“As we uncover more of these cyber espionage operations we
realize how little we understand about the true capabilities of
these threat actors,” Costin Raiu, head of Kaspersky’s
Global Research and Analysis Team, told Wired.

Yet while Kaspersky has not equated the Equation Group with any
sort of division of the NSA, a former employee of the American
spy agency told Reuters that the Russian researchers were correct
in linking the contents of its latest report with the infamous
surveillance office that has come under heavy attack since many
of its secret operations were exposed by ex-contractor Edward
Snowden starting in June 2013.

For its part, the NSA declined to comment on the report.

According to the research, the toolkit of exploits that is used
by the Equation Group contains striking similarities with Stuxnet
and Flame – powerful pieces of malware that for years have been
attributed to campaigns waged by the US.

Craziest thing: this Equation Group spyware is actually out of
date. Whatever they're using -now- is even stronger. http://t.co/OPnISCAzmV

During the course of its research, Kaspersky discovered a worm
that it believes could have served as a precursor to Stuxnet –
malware widely believed to have been developed by the US and
Israel to help sabotage Iran’s controversial nuclear program.
Dubbed “Fanny,” the newly found worm had features and exploits
that were not included in the first version of Stuxnet. They were
only added later, possibly after the exploits were found to be
effective.

After these new exploits
were added, Stuxnet was able to quickly and more effectively pass
through computers in Iran, even those that were not connected to
the internet.

Researchers even found a new kind of platform – called “GrayFish”
– that allows hackers to re-flash or alter the programming of a
hard drive’s firmware with their own code, which Wired said turns
the machine “into a slave of the attackers.” With this
malware in place, hackers can retain access to a computer even if
the owner reformats the hard drive or completely wipes the
operating system and reinstalls it.

According to Reuters, hacking a hard drive's firmware in this way
would require those involved to have access to the drive's source
code, which, when obtained, could point programmers towards
exploitable weaknesses. It's currently unclear if technology
companies such as Seagate, Western Digital, Toshiba, and about a
dozen or so others shared their source code with the NSA at any
point, but Raiu said there is “zero chance” that someone
could reprogram firmware using public information.

Western Digital said it "has not provided its source code to
government agencies," but other companies did not comment on
the matter.

Meanwhile, former NSA analyst Vincent Liu said the government has
ways to access source code if it deems that necessary.

"They don't admit it, but they do say, 'We're going to do an
evaluation, we need the source code,'" Liu told Reuters.
"It's usually the NSA doing the evaluation, and it's a pretty
small leap to say they're going to keep that source code."

In some cases, such as with GrayFish, the Equation Group’s tools
surpassed those of the “Regin” platform, also used to attack networks
in numerous countries.

“It seems to me Equation Group are the ones with the coolest
toys,” Raiu said to Ars Technica. "Every now and then they
share them with the Stuxnet group and the Flame group, but they
are originally available only to the Equation Group people.
Equation Group are definitely the masters, and they are giving
the others, maybe, bread crumbs. From time to time they are
giving them some goodies to integrate into Stuxnet and
Flame.”

As advanced as these capabilities are, just as significant is
that Kaspersky believes the recently discovered worms are not a
true indication of the Equation Group’s current sophistication.
None of the samples the research dug up is dated to 2014, meaning that
whatever tools the group is working with nowadays could be even
stronger and more innovative than platforms like GrayFish.